When a 2048 bit RSA key is provided in /var/qmail/control/rsa2048.pem this key will be used instead of (slow) on-the-fly generation by qmail-smtpd.

Generate DH file:

# openssl genrsa -out /var/qmail/control/rsa2048.pem

That is all. Qmail now is ready for STARTTLS connections. You should see in message source of every mail something like this:Received: from unknown (HELO mail.superhosting.bg) (195.191.148.117)
by 0 with ESMTPS (DHE-RSA-AES256-SHA encrypted); 18 Jul 2017 13:34:05 -0000

You can test if smtp server supports STARTTLS with openssl command line (example is for google.bg mx):